Bug 29281 - Possible wrong description of --limit option in iptables chapter
Summary: Possible wrong description of --limit option in iptables chapter
Status: RESOLVED FIXED
Alias: None
Product: [OLD] Docs-user
Classification: Unclassified
Component: Gentoo Security Guide (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-09-21 11:53 UTC by Sune Kloppenborg Jeppesen
Modified: 2003-09-22 05:06 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix (gentoo-security-1.16-limit.diff,720 bytes, patch)
2003-09-21 11:56 UTC, Sune Kloppenborg Jeppesen

Description Sune Kloppenborg Jeppesen 2003-09-21 11:53:38 UTC
I think the description of the --limit 1/s option for iptables is wrong. According to my reading of man iptables it should mean that only one SYN packet is accepted each second regardless of its source?

Mentioned paragraph:

This is where the rate limit becomes handy. It is possible to limit the number of SYN packets from a single source by using the <c>-m limit --limit 1/s</c>. This will limit the SYN packets to one per source and therefore restricting the SYN flood on our resources.
Comment 1 Sune Kloppenborg Jeppesen 2003-09-21 11:56:15 UTC
Created attachment 18089
Fix

Possible fix.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2003-09-22 04:51:24 UTC
You're right. The whole idea behind rate-limiting to fight off SYN-floods is to restrict the amount of SYN-packets in general, not sourcebased. Fix approved :)
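The distinction the two comments settle, as an added example that is not part of this bug report or of the Gentoo Security Guide: a small Python simulation of the token-bucket behaviour behind iptables' limit match. One shared bucket models "-m limit --limit 1/s --limit-burst 1" (a global cap on matching SYN packets, whatever their source); one bucket per source address models the per-source behaviour the guide's original wording described, which in real iptables is the hashlimit match with "--hashlimit-mode srcip". The traffic (one flooding address plus two legitimate clients), the addresses, and the helper names are constructed for the example. The bucket mirrors the kernel's credit arithmetic only in spirit: credit accrues with time in integer milliseconds and each matched packet spends 1000/rate ms of it, which keeps the arithmetic exact for the rates used here.

```python
"""Global '-m limit' versus per-source '-m hashlimit --hashlimit-mode srcip'.

Constructed example. Timestamps are integer milliseconds, packets are
(time_ms, source_ip) tuples, and the rule set being modelled is:

    iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A INPUT -p tcp --syn -j DROP

versus

    iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn \
        --hashlimit-mode srcip --hashlimit-upto 1/s --hashlimit-burst 1 -j ACCEPT
    iptables -A INPUT -p tcp --syn -j DROP

(--limit-burst defaults to 5; burst 1 is used so the effect is visible at once.)
"""
from collections import Counter


class LimitBucket:
    """Token bucket in the style of xt_limit / xt_hashlimit.

    Credit grows with elapsed time (ms) up to a cap of burst packets' worth and
    each matched packet costs 1000 // rate ms of credit. Assumes rate divides
    1000 evenly (1/s, 2/s, 4/s, ...); other rates are only approximated.
    """

    def __init__(self, rate_per_sec, burst):
        self.cost = 1000 // rate_per_sec   # ms of credit one packet consumes
        self.cap = burst * self.cost       # bucket size
        self.credit = self.cap             # starts full, like the kernel match
        self.last_ms = 0

    def match(self, now_ms):
        """True if the packet arriving at now_ms is within the limit."""
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def run_global_limit(packets, rate, burst):
    """'-m limit': ONE bucket shared by every source. Returns accepted packets."""
    bucket = LimitBucket(rate, burst)
    return [(t, src) for t, src in packets if bucket.match(t)]


def run_per_source_limit(packets, rate, burst):
    """'-m hashlimit --hashlimit-mode srcip': one bucket per source address."""
    buckets = {}
    accepted = []
    for t, src in packets:
        bucket = buckets.setdefault(src, LimitBucket(rate, burst))
        if bucket.match(t):
            accepted.append((t, src))
    return accepted


def accepted_by_source(accepted):
    """Count accepted packets per source address."""
    return Counter(src for _, src in accepted)


# Constructed traffic: addresses from the documentation ranges.
ATTACKER = "198.51.100.7"
CLIENTS = ["192.0.2.10", "192.0.2.11"]


def constructed_traffic():
    """20 SYNs in 2 s from the attacker, plus one SYN each from two clients."""
    pkts = [(ms, ATTACKER) for ms in range(0, 2000, 100)]
    pkts += [(250, CLIENTS[0]), (1250, CLIENTS[1])]
    return sorted(pkts)


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("global  -m limit 1/s      :", accepted_by_source(run_global_limit(traffic, 1, 1)))
    print("per-src hashlimit 1/s    :", accepted_by_source(run_per_source_limit(traffic, 1, 1)))
```

With the global limit the only two packets accepted in two seconds are the attacker's (it arrives first at each refill), so both legitimate clients are dropped: the rule caps the total SYN rate, as the bug report says, and a flood from one host also starves everyone else. With the per-source bucket each client's SYN is accepted while the attacker is still held to one per second, which is the behaviour the guide's original sentence attributed to -m limit.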
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2003-09-22 05:06:06 UTC
committed. Thanks again!